ECB holds sway in new banking order

In May 2017 a small German state-owned bank lost its fight to escape the clutches of ECB supervision in the first judgement handed down by European General Court relating to Single Supervisory Mechanism (SSM).

When it was introduced in November 2014, the SSM created an institutionalized process of supervising credit institutions and became one of three pillars of European Banking Union along with the Single Resolution Mechanism (SRM) and the European Deposit Guarantee Scheme (DGS). The SSM also established the European Central Bank (ECB) as the lead supervisory body for Eurozone banks holding more than €30 billion in assets. Landeskreditbank Baden- Württemberg, which has assets of €70 billion, argued that it should be regulated instead by its national competent authority (NCA)—in this case German watchdog Bafin and the Bundesbank– rather than the ECB on the grounds that its debt is guaranteed by the state of Baden- Württemberg, and as such it posed no systemic threat. L-Bank preferred to be supervised by its national regulator because of the lower cost of compliance.

The General Court rejected the L-Banks’s claim in every aspect. It stated that an exemption from the ECB’s supervision can only be made upon proof that the NCAs’ supervision is better able to attain the supervisory objectives. Hence, L-Bank`s plea that the German NCAs’ supervision was sufficient to attain these objectives couldn’t justify its claim. In short, the judge ruled that the ECB has free reign when it comes to which banks it wants to supervise and delegates to NCAs at its own discretion.

€30 billion

Banks with more than €30 billion in assets fall under ECB Supervision

FRO: Henning, some observers have been disappointed by the L-Bank judgment, criticizing its "pro-centralization stance" and the fact that it does not address "the substantive questions at hand." Is this convincing?

Henning Berger (HB): In my view, these observers don’t take into account the circumstances of the case. The L-Bank judgment dealt with a rather narrow legal question and seems to have been led more out of principle than to clarify many of the open questions regarding the SSM. One of these questions concerns the competent courts when the ECB and the NCAs act "in concert". Regarding the latter, there are currently a number of pending cases before the General Court concerning the European Banking Levy, which may give a better understanding of the court’s review of administrative decisions in the European Banking Union.

FRO: So is there anything we can infer from the L-Bank judgment?

HB: The court has confirmed that there is no easy escape from the supervision of the ECB: The ECB has a margin of discretion concerning the question of whether an exemption from its supervision should be made due to its inappropriateness. Hence, the judgment confirms what was to be expected: Significant credit institutions will remain under the direct supervision of the ECB and cannot expect to be easily released into the supervision of the NCAs.

SSM created an institutionalized process of supervising credit institutions

FRO: Taking into account the leading position of the ECB in the SSM, what is the remaining role of the NCAs? And how can an institution determine the competent authority?

HB: In general, supervision is now under the umbrella of the ECB, but the NCAs still play an important role in the process. Both act in close cooperation. Firstly, in order to determine the competent authority, we must differentiate between CRR-credit institutions categorized as significant and those that are not. The supervision of significant institutions is carried out directly by the ECB, whereas the supervision of non-significant institutions lies in the hands of the NCAs.

Regardless of the size and significance of an institution, the ECB has some exclusive competences, such as the granting or withdrawal of banking authorizations. But this exclusive competence does not mean that NCAs are excluded from the decision. For example, in case of the authorization of an institution, requests must be addressed to the acting NCAs. The NCAs review the criteria and prepare reasoned proposals for the ECB, which then reviews and adopts where appropriate. In a nutshell, the SSM is a complex and interwoven system of shared and sole competencies. The ECB and NCAs are acting in close cooperation, but in most cases the ECB has the last word.

FRO: In case a decision is made by the ECB but prepared by the NCA, for example the withdrawal of an authorization, related what are the legal steps an institution can undertake to defend itself?

HB: All ECB decisions can be reviewed on an administrative level and an institution can seek judicial protection irrespectively. The competent court depends on the measure in dispute. National administrative courts have exclusive jurisdiction in matters of legal protection against measures taken by a national authority. The actions of a Union authority can only be reviewed by the Court of Justice of the European Union (ECJ).

As some decisions by the SSM are composed of actions by both the NCAs and the ECB, it may be necessary to take legal action before national courts and the ECJ in parallel. In cases where the allocation of a measure is not clear, it may be necessary to seek legal protection before both courts simply as a precaution. The pending cases concerning the European Banking Levy demonstrate how difficult it is even for the authorities themselves to determine who is responsible for a certain measure.

SSM is a complex and interwoven system of shared and sole competencies

FRO: The NCAs and ECB apply both European Law, for example the SSM Regulation, and national law. Doesn’t this lead to uncertainties when there are different rules?

HB: There can be uncertainties, but that’s not always the case. Basically, the new European norms apply in addition to the existing national supervisory law, such as the French code monétaire et financier or the German KWG. Together, they establish the supervisory requirements that an institution has to fulfill. Conflicts can result from the fact that these requirements are applied by both the ECB and the NCAs, and the authorities may deviate in their practices. In this regard, a revolutionary feature of the SSM is that the ECB must apply national law based on European law. As the applicable national laws may differ, the ECB will strive to harmonize its practice as far as possible.

FRO: Are there examples of this practice?

HB: Of course. For example, in the ECB’s application of the fit-and-proper-rule, the compulsory assessment procedure concerning the appointment of new management does not apply across the entire EU. However, the ECB has developed a formal procedure that it applies to the appointment process within all member states. Consequently, in member states that don’t prescribe the formal approval of members of the management body, the ECB has factually introduced such a procedure of approval. This has a significant impact, as fit-and-proper proceedings are of great practical relevance to the institutions.

FRO: All in all, what are the main challenges banks have to face under the SSM?

HB: As the practice of the SSM and the courts develops over time, a clearer allocation of procedural acts and competencies will emerge, making it no longer necessary to seek legal parallel protection. The same is true for other legal uncertainties as the standards of fit and proper the ECB can apply.

Besides that, language barriers between the ECB on the one hand and NCAs and banks on the other hand can be challenging. Even though institutions can choose the language they use for their communication with the ECB, the latter usually aims at establishing English as the language of communication. The communication between the ECB and NCAs has been agreed to be in English. Still, the internal working language in most NCAs and banks is not English. This does not only entail a substantial translation workload, but also a lack of transparency and comprehensibility, especially when an institution cannot easily clarify and defend its practice to the ECB. At first sight, this may seem surprising, but in practice it can be quite an issue.

Meanwhile differing legal cultures among the member states can lead to a diverging understanding of the applicable supervisory criteria and the extent of judicial review of decisions. Although joint supervisory teams (JSTs) have been created to discuss these differences, the ECB’s practical approach can differ from that of the NCAs. As a result, banks may expect a different interpretation of the prudential regulations based on national practice than the ECB will take. All in all, the SSM is a perfect example of the special challenges and difficulties of European cooperation and integration in general. Overcoming these is an ongoing process.

How state aid survived the Italian banking crisis

There is much to admire in the EU's handling of the Italian banking crisis, but in allowing two lenders to escape BRRD rules, it has raised questions on the consistency of the EU state aid and resolution framework.

How state aid survived the Italian banking crisis

There is much to admire in the EU's handling of the Italian banking crisis, but in allowing two lenders to escape BRRD rules, it has raised questions on the consistency of the EU state aid and resolution framework.

June 2017, the European Central Bank (ECB) declared that two Italian banks, Veneto Banca (VB) and Banca Popolare di Vicenza (BPVI) were "failing or likely to fail." But rather than the two lenders being subject to the EU’s bank resolution and recovery directive (BRRD), the Single Resolution Board (SRB) allowed them to be liquidated under Italian insolvency law.

It was seen as a controversial step in some quarters and raised the question of why the Italian banks were spared the bail-in legislation and the BRRD rules designed specifically to resolve failing financial institutions.

Downfall of the Veneto banks is only partially attributable to the stagnation of the Italian economy

What went wrong in Veneto

Italy has the largest number of non-performing loans (NPL) in the entire European banking sector following a prolonged recession. But the downfall of the Veneto banks is only partially attributable to the stagnation of the Italian economy in the last decade, and was rather caused by weak management practices deriving from their nature of cooperative "popular" banks (banche popolari)—namely, the modalities used to determine their share price and the loans disbursed to their clients to finance the subscription of their shares.

As the banks’ shares were not listed, their value was determined each year by the boards of directors of the two banks and approved by their shareholders, in accordance with the Italian rules for non-listed cooperative companies. This mechanism progressively inflated the share value of the two Veneto banks, which continued to grow while the share price of listed popular banks was sensibly shrinking, and reached a peak of €62.5 (BPVI) and €39.5 (VB) per share in 2014. A large number of the banks’ clients (including retail investors) invested their savings in the banks’ shares, being also attracted by the exponential growth of the share value. Clients of both Veneto banks were able to trade their shares with the banks themselves or other shareholders, and the existence of this "internal market" for the shares was ensuring a minimum degree of liquidity to their investments.

The banks’ shares subsequently became illiquid due to both a steady decrease in clients’ demand and the restrictions on the purchase by banks of their own shares introduced under the CRR (Regulation (EU) No. 575/2013), which limited the ability of the two banks to support the liquidity of the shares starting from 2014. This gave rise to disputes with clients, who were no longer able to monetize their investments by selling their shares. Clients’ discontent was further exacerbated when the price per share was reduced to €48 (BPVI) and €30.50 (VB) in 2015, mainly as a consequence of the €758.5 million (BPVI) and €968.4 million (VB) losses suffered by the banks in 2014.

The banks accumulated additional losses of €1.4 billion (BPVI) and €881.9 million (VB) in 2015, following on-site inspections conducted by the ECB in that year. The ECB requested that they deduct the value of the loans and other forms of financings that they had granted to their clients to fund the purchase of their own shares from their CET1, as imposed by the CRR rules. Capital ratios deteriorated also as a consequence of impairments and losses on the loans’ portfolio.

In 2016, the Renzi government introduced new rules requiring popular banks with assets exceeding €8 billion to convert to joint stock companies. The two Veneto banks resolved to change their legal form, raise new capital and list their shares via an initial public offering (IPO) on the Italian Stock Exchange. However, the IPOs of both banks failed and they were finally rescued by the Atlante fund—an alternative investment fund made up of Italian private and public investors (such as banking foundations and major financial institutions)—which subscribed to the entire capital increase of the banks at a price of €0.10 per share and became (almost) their sole shareholder with 99.33 percent of the share capital of BPVI and 97.64 percent of VB.

Notwithstanding the struggle of the new management to restore clients’ confidence, on June 23, 2017, VB and BPVI were declared "failing or likely to fail" by the ECB due to repeated breaches of capital requirements. On the same date, the SRB decided that resolution action in accordance with the BRRD and the rules governing the Single Resolution Mechanism (SRM) was not in the public interest and that, accordingly, the banks had to be liquidated under normal Italian insolvency proceedings. Then, on June 25, 2017, the Italian government put both banks into compulsory liquidation proceedings (liquidazione coatta amministrativa) in accordance with the special rules specifically introduced under the Law Decree No. 99/2017.

€8 billion

In 2016, the Renzi government introduced new rules requiring popular banks with assets exceeding €8 billion to convert to joint stock companies

A resolution outside the BRRD framework

In essence, under Law Decree No. 99/2017, the two Veneto banks have been liquidated through a BRRD-like resolution diverging from the BRRD principles on burden sharing and state aid.

The "good" assets of the two banks (including performing loans and tax assets) were transferred to Intesa Sanpaolo, along with senior liabilities (including deposits, state-guaranteed and other senior bonds) and other relationships (employees, shareholdings in other banks, branches, etc.). All other assets and liabilities (including, in particular, the claims of shareholders and subordinated bondholders) remained with the banks under liquidation proceedings, except for non-performing loans, which shall be transferred to Società per la Gestione delle Attività (SGA) —the Italian "bad bank" established in 1997 in connection with the restructuring of Banco di Napoli.

State aid was granted mainly in the form of cash injections to cover the capital absorption deriving from the acquisition of the "good banks" and public guarantees on certain obligations and undertakings of the banks. Retail and certain other investors that purchased subordinated bonds issued by the banks shall be compensated through the special fund created by the government to indemnify the subordinated bondholders of the four lenders (Banca delle Marche, Banca Etruria, CariFerrara and CariChieti) that were resolved in November 2015.

Although they were presented under a different label, the measures adopted by the Italian government are equivalent to the combined application of the sale of business, asset separation and bail-in tools in the context of a BRRD resolution, except for two major differences. Firstly, senior liabilities of the Veneto banks were not subject to burden sharing, which could have been the case if resolution authorities had exercised their bail-in powers under the BRRD/ SRM rules. Secondly, the resolution of the two banks was financed through public funds, rather than through a full bail-in of senior liabilities or the use of resolution funds or deposit guarantee schemes in accordance with the BRRD/ SRM framework.

The EC decision under the Banking Communication

Under EU law, if a bank is failing or likely to fail and the conditions for a resolution under the BRRD are not satisfied, the bank must be liquidated in accordance with the liquidation proceedings applicable under national law. The BRRD is however silent on whether and to what extent state aid can be granted in a normal insolvency scenario.

On June 25, 2017, the European Commission (EC) approved the state aid measures provided under the Law Decree No. 99/2017 and confirmed that outside the EU banking resolution framework, there is room for national governments to seek state aid approval under Article 107 of the Treaty on the Functioning of the European Union (TFEU) and the EC Communication on state aid in the banking sector of 2013 (so-called "Banking Communication").

Article 107(3)(b) of the TFEU allows national governments to adopt state aid measures in order to "remedy a serious disturbance in the economy of a Member State". Under the Banking Communication, in such circumstances, state aid is permitted only on terms resulting in an adequate burden sharing among those who invested in the bank—particularly shareholders and subordinated creditors (but excluding senior creditors).

Against this background, the EC acknowledged that the liquidation of VB and BPVI under the ordinary Italian liquidation proceedings would have determined a serious economic disturbance in the Veneto region, and agreed that existing shareholders and subordinated creditors of the banks fully contributed to the costs of the intervention as required by the Banking Communication.

Under EU law, if a bank is failing or likely to fail, and the conditions for a resolution under the BRRD are not satisfied, the bank must be liquidated

The "too-small-to-fail" paradox

Veneto is one of the richest regions of the Eurozone. It accounts for a non-negligible portion of the Italian GDP and has a solid industrial sector that is traditionally based on the efforts and work of a multitude of SMEs and individual entrepreneurs. The Bank of Italy said in a report to the Italian parliament that in the absence of state intervention, the liquidation of the Veneto banks could have forced approximately 100,000 SMEs and 200,000 households into the early repayment of the loans due to the banks under liquidation proceedings (worth around €26 billion), which could have led to widespread insolvencies and additional losses for the banks’ creditors. The Italian deposit guarantee scheme would not have been able to reimburse the banks’ insured depositors—unless through extraordinary contributions of Italian banks—and the government would have become liable to pay €8.6 billion as a consequence of the enforcement of the state guarantees covering senior bonds recently issued by BPVI and VB.

Against this background, the EC decision was welcomed in Italy as the lesser evil (if not a blessing) from a political standpoint. Yet this decision came as a surprise to several commentators, as it somehow appears to be at odds with the goals and spirit of the EU banking resolution framework. While the philosophy behind the BRRD is that public money should be used as a measure of last resort to rescue "too-big-to-fail" institutions, the case of the Veneto banks seems to show that public financial support can be granted under more permissive conditions for "smaller" banks—assuming that BPVI and VB could be considered as such.

Taking the EC decision to its extreme consequences, the corollary of this approach is that the risk of a serious economic disturbance in a region of an EU Member State may allow national governments to use public funds in a way that would otherwise be forbidden under the BRRD/ SRM rules to address a risk of significant adverse effects on and contagion to the stability of the financial system as a whole. Intuitively, one could argue that the system should work the other way round.

There are of course several arguments that justify this paradox—including that the state aid and BRRD/ SRM rules pursue different goals, that the "public interest" principle must accordingly be interpreted in different ways and that the use of public funds outside the BRRD rules may actually contribute to preventing financial disruption and restoring confidence in the banking system. However, the acceptance of the above corollary could ultimately undermine the consistency of the EU banking resolution framework.

EU authorities should avoid applying a "two-tier" resolution regime for "systemic" and "non-systemic" banks, which could lead to unfair treatment of investors in different resolution or insolvency scenarios. In addition, the application of such a "two-tier" regime may be seen as a form of state aid per se, as "non-systemic" banks could potentially benefit from an implicit state guarantee on—and, consequently, reduced funding costs for—their senior liabilities (which could be subject to burden sharing under the BRRD/SRM framework, but not necessarily under the Banking Communication).

Finally, the adoption of different resolution approaches may give rise to possible issues for senior debt holders when the bank is approaching a point of non-viability, and to possible legal challenges to resolution actions taken by competent authorities.

A two-tier resolution regime for "systemic" and "non-systemic" banks could lead to unfair treatment of investors

The political angle of the EU approach

Looking at the negotiations that occurred at the EU level before the two Veneto banks were liquidated and in the broader context of the Italian banking crisis, the decisions taken by the EU authorities are likely to be read as the outcome of a political compromise allowing the Italian government to rescue its banking system.

A notable element of the SRB decision is that the simultaneous insolvency of two significant institutions subject to the direct supervision of the ECB and operating in the most productive region of the third national economy of the Eurozone, which were widely considered to be among the largest and most important lenders in Italy, was not considered to be "sufficiently serious" to trigger the application of the BRRD and SRM rules. It remains to be seen whether the SRB will take the same approach in similar cases rather than diverge from this precedent.

Italy claims that limited public support was given to its banks at the time when several EU banks were being bailed out. The problems emerged at a later stage, after stricter rules under the Banking Communication and BRRD came into force. In the last few years, Italian authorities have endeavored to restructure the Italian banking system without infringing EU rules, and have somehow managed to do so in an innovative way with a package of measures. These include introducing a state-guaranteed scheme to facilitate the securitization of NPLs (so-called GACS), sponsoring the creation of the Atlante fund, and promoting the use of "voluntary support" measures to distressed banks using the Italian depositary guarantee scheme. The Italian government has also granted extraordinary public financial support to some Italian lenders in the form of state-guaranteed bonds, state guarantees on emergency liquidity assistance or precautionary recapitalization. At the same time, it has introduced significant and long-awaited changes to the rules applying to popular and other cooperative banks, notwithstanding the opposition encountered from several stakeholders.

Meanwhile the Italian banking market went through a huge restructuring process, which is ongoing. Big popular banks have been transformed into joint stock companies; some of them have merged already and others are expected to consolidate their businesses. UniCredit successfully completed a €13 billion capital increase (the largest in Italian history), the "good banks" resulting from the resolution actions taken by the Bank of Italy in 2015 have been sold to UBI, and Banca Monte dei Paschi has been recapitalized through a capital injection by the state and the application of burden sharing measures to its shareholders and subordinated bondholders.

Within this context, the prospects for Italian banks after the rescue of BPVI and VB appear to be brighter and safer, if seen from the offices of EU institutions in Brussels and Frankfurt, and this has likely been the ultimate rationale underpinning the decisions taken with respect to the Veneto banks.

The way forward for Italian banks

Stronger initiatives need to be taken by Italian competent authorities to prevent mis-selling of financial products as well as to enhance the awareness of retail investors. MiFID2 will offer new tools to this end—including rules on product governance and intervention, independent advice, bundling of products, etc.—and should generally strengthen the supervision on product engineering and distribution to retail clients. These new requirements, coupled with a stricter approach by supervisors, could help channel an increased portion of retail investments towards financial products with no (or reduced) bail-in risks, at the same time inducing Italian banks to diversify their funding sources by issuing an increased portion of bail-in-able debt to institutional investors.

The new rules on the minimum requirement for own funds and eligible liabilities (MREL) that are currently being discussed at the EU level could facilitate this trend, by providing for more transparency on the composition of MREL-eligible capital and the possibility to split the senior debt class into "preferred" and "non-preferred" liabilities. This latter measure could allow Italian banks to offer instruments carrying a lower bail-in risk (such as "senior preferred" notes) to retail investors, while shifting a significant portion of the bail-in risk onto institutional holders of "senior non-preferred" notes and subordinated debt.

EU authorities should clarify the interplay between state aid rules and the BRRD/SRM framework

Further clarifications needed on EU state aid and resolution rules

EU authorities have unexpectedly proven to be flexible and open to different solutions when addressing the Italian banking crisis. This may be good news considering the magnitude of NPLs that must be disposed of by the European banking system as a whole and the additional restructurings that could affect EU banks. To a certain extent, Italy has been a forerunner in tackling the NPL problem through a mix of private and public instruments—including the use of national asset management companies—which are now also sponsored by the Council, and it is possible that some of the solutions tested in Italy will be used to facilitate the disposal of NPLs or restructure other distressed institutions in the EU.

However, such flexibility comes with legal uncertainties and potential risks for the Banking Union. EU authorities should clarify the interplay between state aid rules and the BRRD/ SRM framework in order to ensure that the EU banking resolution rules remain credible. Although protecting retail bondholders and non-insured depositors from burden sharing could be seen as a praiseworthy objective, doing so at the expense of legal certainty may not be desirable, as it could create competitive distortions in the internal market.

The Capital Requirements Regulation (CRR) requires credit institutions to hold their own funds in sufficient quantity and quality to address the various risks they are exposed to. In particular, they need to hold own funds in an adequate amount to be in a position to absorb potential losses arising from credit risk.

The amount of own funds a credit institution must hold with respect to credit exposures is not a statistical value but a risk-adjusted amount based on certain regulatory calculation methods. Since January 1, 2007, when the Basel II framework was fully implemented into European law, the EU framework allows credit institutions to use two different approaches when calculating their risk-weighted credit exposure, thereby determining the minimum amount of regulatory capital they must hold.

Whereas the standardized approach provides a calculation method where the risk parameters are predetermined by the relevant supervisory authority, the internal ratings-based approach (IRB approach)—established as part of Basel II—allows a credit institution to determine various risk parameters on the basis of internal historical data. Accordingly, Basel II (and its implementation into European law) enabled credit institutions to reduce the risk weights of their credit exposures compared to the standardized approach, potentially resulting in lower regulatory capital requirements.

The Basel Committee's proposal on reducing the variation in credit risk-weighted assets

However, the way in which credit institutions may use these calculation methods are under scrutiny. In March 2016, the Basel Committee on Banking Supervision issued a consultative document on reducing the variation in credit risk-weighted assets (RWAs) and placing constraints on the use of internal model approaches. The Committee proposed changes to the IRB approach to reduce the complexity of the regulatory framework, and improve the comparability by addressing the variability in the capital requirements for credit risk. In this regard, the proposals of the Basel Committee on Banking Supervision included the following:

Removal of the option to use IRB Approaches for certain exposures

Adoption of exposure-level, model-parameter floors to ensure a minimum level of conservatism for portfolios in relation to which IRB Approach remains available and

Reduction of the variability in RWAs for portfolios in relation to which the IRB approach remains available

The proposals sought to limit a credit institution's ability to benefit from the use of internal models by introducing input floors that would constrain risk parameters for specific portfolios and by setting a minimum output floor on the basis of standardized models. The output floor was designed to mitigate model risk and measurement error stemming from internally modeled approaches that would place a limit on the benefit a credit institution derives from using its internal models for estimating regulatory capital. The Basel IV reform package also suggested that internal models may no longer be used for certain exposures, such as large corporates and specialized lending exposures. In effect, the transposition of Basel IV would significantly increase the amount of RWAs, resulting in higher own funds requirements.

However, this proposal was blocked by the chairmen of all national supervisory authorities and central banks as the highest body of the Basel Committee, who voted against it on January 8, 2017. A European coalition led by the German Minister of Finance, Wolfgang Schäuble, was able to block the proposal against the will of the United States, as the decision-making process requires a consensus of the Committee members.

As the European banking sector widely uses and depends on the IRB approach, European supervisors were aware that the new proposal would have had adverse effects on the European market, while having nearly no impact on the US. This is because banks in the US have mostly recovered from the financial crisis of 2008, having robust balance sheets and primarily already use the standardized approach. Furthermore, the US securitization market is booming, allowing US banks to free up regulatory capital by selling securitized loans in the capital markets. Meanwhile, large European banks still struggle with their legacy portfolios, thus relying on the IRB approach to comply with regulatory capital requirements.

The current discussion on the use of IRB Approaches is not new. Instead, similar discussions and controversies between the US and the EU arose in the context of Basel II—then as now issues to be dealt with were the possibility of abusing internal models by tweaking the systems to lower the capital requirements, and the lack of comparability between banks and especially between credit institutions located in the US and Europe, respectively. In the US, the use of internal models is already restricted by the Dodd-Frank Act, resulting in the eligibility of internal models for only the 19 biggest US banks.

In the ongoing negotiations, the EU is therefore put in a situation where it is confronted with reasonable criticism of internal models. In addition, it has to defend regulatory advantages European banks currently benefit from.

34%

The average risk weight on certain asset classes may be raised from 26% to 34% following the introduction of TRIM

Institutions should, however, in all circumstances explore the options at hand as change, in whatever form it may eventually come, is on its way

Assessment of the European Central Bank

As a response to the issues described above, the European Central Bank (ECB) has released a new explanatory statement on its Targeted Review of Internal Models (TRIM) on February 15, 2017. TRIM was launched in late 2015 and is expected to be finalized in 2019. The project is expected to assess the overall reliability and comparability of the internal models currently used and whether they comply with regulatory requirements. It also aims to reduce regulatory arbitrage which allows banks to exploit inconsistencies and create unwarranted variability in their risk models compared with those of rivals. Danièle Nouy, Chair of the Supervisory Board at the ECB, said in an interview in 2015: "We will start with the banks that markedly understate their capital requirement through the use of their models; our aim is to find out whether that is justified or whether the parameters need to be adjusted."

In July 2016, the ECB published a research paper on IRB risk assessment, which depicted that the internal models currently used may not be reliable. The paper compared the actual default rates of recent years with the results of the IRB Approach and the standard model in the German banking sector. It concluded that at the aggregate level, reported probabilities of default and risk weights were significantly lower for portfolios that were assessed in accordance with the IRB approach, compared with those assessed under the standard approach. By contrast, ex-post default and loss rates went in the opposite direction: Actual default rates and loan losses were significantly higher among the IRB portfolios compared with the portfolios assessed in accordance with the standard approach.

The initial reaction by individual banks to the introduction of TRIM by the ECB in 2017 suggests that the average risk weight on certain asset classes (such as mortgage portfolios) may be raised from 26 percent to 34 percent. Other analysts suggest that TRIM could hit CET1 levels by as much as 60 basis points. Accordingly, the impact of TRIM on the balance sheets of European banks should not be underestimated.

While maintaining the possibility of banks using internal models, the ECB wants to ensure that they are being used appropriately. In a statement on February 15, 2017, the ECB explicitly answered the question as to whether internal models will continue to exist after the finalization of Basel IV: "[…] ECB believes that internal models can play a useful role in determining regulatory capital according to the institution's risk exposure, provided that certain conditions are met: risks must be modeled adequately and models must give consistent results."

This approach and the timing of the explanatory statement lead to the conclusion that the ECB's intention is to weaken the arguments brought forth by the critics of internal rating systems and thus establish a solid foundation for future discussions in the Basel Committee.

However, the results of the TRIM exercise remain to be seen. The ECB wants more consistency and adequacy in model outputs and comparability of risk-weighted exposure amounts. This is similar to the approach pursued by the European Banking Authority (EBA) in the draft regulatory technical standards it published in July 2016. The standards look at the specification of the assessment methodology for competent authorities regarding compliance of an institution with the requirements to use the IRB Approach.

Internal models should not be removed, as they are too important for the European banking sector, but some European banks should be braced for higher risk weights, particularly when it comes to on non-performing loan portfolios (NPLs). For example, most of the Italian banks apply zero risk weight for such non-performing loans, which does not reflect the real economic risk and lacks the necessary comparability for investors.

IRB models currently used by many banks may not be reliable

Outlook and solutions for credit institutions

The above considerations highlight that it cannot be said with certainty at this stage which models will be used by credit institutions to calculate their risk weights in the future. In particular, the complexity of the issues under discussion, as well as the ECB's ongoing TRIM process, raise questions about whether the review as envisaged will coexist with potential changes to the legislative framework or if such changes will be postponed and/or substituted by TRIM. Some suggest that instead of introducing output floors, increased transparency and disclosure requirements (for instance with regard to the breakdown of asset portfolios or the rationale behind increased capital requirements) would be better suited to improve market discipline and comparability between credit institutions' capital ratios.

The current reform on the capital treatment of securitization exposures as envisaged in the legislative package for a CRR amendment (Draft CRR) and for a Regulation of the European Parliament and of the Council laying down common rules on securitization and creating a framework for simple, transparent and standardized securitization (the STS Regulation) might serve as an indicator for future steps to be expected when calculating credit risk.

Both the review of internal models, as well as potential legislative changes with regard to the calculation of risk-weighted credit exposures, is likely to result in an increase in regulatory capital requirements due to significantly higher RWAs. Credit institutions therefore have to explore options to deal with the risks they are exposed to, thereby lowering their RWAs and, ultimately, the amount of regulatory capital they must hold. Risk-sharing and the transfer of certain risks from the respective credit institution's credit portfolio by means of a synthetic securitization transaction offer a viable solution in this regard, as the CRR provides for a more favorable calculation of risk-weighted exposure amounts and expected loss amounts if a significant portion of the credit institution's credit risk is transferred.

Which option credit institutions ultimately choose heavily depends on their current use of internal models. Institutions should, however, in all circumstances explore the options at hand as change, in whatever form it may eventually come, is on its way.

Regulators put their heads in the cloud

Financial Regulatory Observer (FRO): Why is outsourcing back at the top of the agenda for banks and supervisory authorities?

Andreas Wieland (AW): The first driver is the weak profitability of many banks, notably in Europe. While income from interest is plummeting, regulatory costs are sky-rocketing. Banks are forced to cut their cost base in order to thrive in the current highly competitive market. The existing IT structure of many banks is often outdated, too complex and therefore extremely costly. Banks need new and modernized IT systems, not only to cut costs but also to gain or maintain a competitive edge.

Jost Kotthoff (JK): Another key aspect driving outsourcing is digitalization and technical innovation. The uses of cloud services, grid computing and the distributed ledger technology (blockchain) are the most obvious examples of this, but there are other themes. Fintech companies and new challenger banks with innovative business models and lower cost structures are increasingly competing against traditional banks. These developments mean that for many banks the modernization of their IT systems has become the highest strategic priority at a time when banks have become more reliant on technology than ever before. The modern bank is often nothing more than a small people-driven front office and a huge automated and IT-based middle and back office. Nothing happens without the involvement of IT.

AW: Given this unprecedented degree of reliance on technology, it is not surprising that supervisory authorities focus more and more on IT risks. The monitoring and management of IT risks are today the key challenges for the risk management of financial institutions. In Europe, the European Central Bank (ECB) and other supervisory authorities have placed an increased focus on the IT infrastructure of banks and their vulnerabilities. Their central concern is that many banks rely on a multitude of complex, proprietary, individual and outdated solutions. The ECB has started to examine the IT infrastructure of many of the large banks. Many observers expect that this will increase the pressure on banks to increase and accelerate their investment in IT.

Weak profitability of many European banks is one of the top drivers for outsourcing

FRO: How about cloud-based solutions? Are banks ready to embrace the new technology?

JK: Definitely. The large IT providers are currently marketing their new cloud products to the financial industry. These cloud solutions are extremely attractive for banks, both from a technological and cost perspective. We see more and more banks looking into moving data and functionalities into the cloud. Cloud solutions allow "pay-as-you-go" models and flexible and automated IT infrastructures, which enable banks to achieve significant cost savings and decisive competitive advantages. The technology further enhances the innovation process within the bank and decreases the "time-to-market" for new products.

AW: But the question is: Are regulators sufficiently prepared for the new technology? From a regulatory standpoint, many IT-related contracts qualify as outsourcing of essential services. Most supervisory authorities have issued a detailed framework for the outsourcing of essential services. These include features like comprehensive information and audit rights by supervisory authorities, detailed rules on sub-delegation, and, in some jurisdictions, on the instruction rights of the service recipient. The new cloud solutions can to a certain extent adapt to these requirements. But it is clear that some of these requirements cannot be implemented in the way we have become used to in the pre-cloud world. So far, many supervisory authorities have not issued specific guidance on how to implement regulatory requirements in a cloud world.

JK: Some supervisors, such as the Financial Conduct Authority (FCA) in the UK and the Monetary Authority of Singapore (MAS), have recently issued new guidelines for cloud solutions. In our view, it is very important that regulators and supervisory authorities develop clear and uniform regulatory standards for cloud solutions. This would provide a catalyst for banks to embrace the new technology and realize the related efficiency gains.

AW: In Europe, the European Banking Authority (EBA) recognizes the need for further harmonization and regulatory guidance. In May of this year, the EBA launched a consultation on draft recommendations on outsourcing to cloud service providers. The recommendations address some of the relevant supervisory requirements when outsourcing into the cloud. This includes topics like access and audit rights, security requirements, the location of data and data processing, chain outsourcing, contingency plans and exit strategies. It contains some innovative concepts, such as the possibility of conducting grouped audits to fulfill regulatory audit requirements. However, it remains doubtful whether the recommendations in their current form will provide the tailor-made, harmonized regulatory framework for outsourcing into the cloud that financial institutions and service providers hope for in order for them to embrace the new technology. I can only encourage financial institutions and IT providers and their industry associations to actively participate in the consultation.

FRO: What are the main challenges in the negotiation and implementation process for cloud solutions?

JK: In general, service providers render their cloud services on a "one-size-fits-all" basis. From an IT and risk management perspective, the sourcing of cloud services requires a paradigm shift: Rather than relying on a tailor-made IT framework and risk management set-up, the sourcing of cloud services requires the bank to accept standard procedures and to adjust their risk management and control procedures around the cloud product.

AW: This requires the relevant control functions at the bank to be involved at an early stage of the process. In addition, the specific regulatory requirements of the bank need to be reflected in the contractual documentation with the cloud provider. This can be a challenge in the negotiations.

FRO: Are cloud solution providers familiar with the supervisory rules?

AW: From our experience, many of the large cloud providers are aware of the regulatory framework. Some of them offer special regulatory packages to banks that are supposed to allow them to meet their regulatory requirements. Still, banks cannot assume these packages fully reflect their particular regulatory needs.

The rule book for internationally operating banks is fairly well harmonized, however, implementation of such rules often differs from country to country

FRO: How do international banks cope with the increased regulatory scrutiny around outsourcing?

AW: We now have detailed and sector-specific outsourcing rules throughout the European Union. This includes the Banking Directive, but also legislation like MiFID II, EMIR, UCITS V and AIFMD, which contain very specific outsourcing rules. As a result, we find a fairly harmonized rule book for internationally operating banks. However, the implementation and interpretation of such rules often differs from country to country. In addition, a banking group that also comprises asset managers or MiFID firms has to observe not only the outsourcing requirements for banks, but also for asset managers and MiFID firms. While these rules follow similar patterns in many respects, there are sectoral particularities that need to be kept in mind and may need to be reflected in the documentation.

JK: What is true for Europe becomes even more complex if a banking group is engaged in the United States and Asia, too. In particular in Asia, many countries have specific local particularities for outsourcings in their rule books. If an international banking group wants to roll out an IT solution for its worldwide operations and on a global scale, these country specifics need to be taken into account. We often deal with this challenge by negotiating country-specific schedules.

FRO: How does the new resolution framework influence the regulatory requirements for outsourcings?

AW: The new EU resolution framework for banks has a considerable influence on the structuring of outsourcings and their documentation. The so-called resolvability of a banking group has become one of the crucial areas of focus for supervisory and resolution authorities. This means that the bank needs to ensure that it has continued access to critical outsourced activities even in the event of a resolution involving the bank. Regulators are very focused on how outsourcing arrangements will work in a recovery and resolution environment, particularly for banks that support critical economic functions and use outsourced services to support them. Regulators are subjecting banks to real time reviews and challenges as to the robustness of their legal arrangements including challenging how robust arrangements can be as best as possible legally secured in cross border branch to branch outsourcing, where the same legal entity is involved but different regulators are looking at different physical set ups.

JK: In the outsourcing contract with the external service provider, it must be ensured that in a potential split-up of the bank into a good and a bad bank, the involved entities continue to be able to draw on the services in an uninterrupted way. The European and related national resolution frameworks provide for the respective powers of resolution authorities to ensure this. However, resolution authorities and in some jurisdictions the applicable laws require this to be set out explicitly in the outsourcing contract. Many service providers still are not aware of this requirement, and we spend a lot of time explaining to them why the bank needs respective clauses in the outsourcing contract.

Cybersecurity: Regulators show their teeth

US regulators usually issue cybersecurity guidance instead of regulator standards and requirements. That changed on March 1, 2017, when the Superintendent of New York's Department of Financial Services (NYDFS) exceeded federal efforts and put into effect Cybersecurity Requirements for Financial Services Companies (Cybersecurity Regulation).

Following a spate of cyber-attacks and breaches of customer confidentiality, the NYDFS declared that for certain financial institutions operating in New York "regulatory minimum standards are warranted". Although this edict directly applies only to banks, insurance companies and other financial services institutions specifically regulated by the NYDFS, (i.e., with operations subject to the jurisdiction of the NYDFS), financial institutions are finding that the requirements may apply indirectly to foreign headquarters and branches located throughout the world.

Purpose and requirements

The Cybersecurity Regulation is an ambitious regulatory initiative not limited to protecting consumer privacy. Rather, by focusing on all nonpublic information (including business confidential information unrelated to individuals) as well as on network stability, the NYDFS requires that its regulated entities, "ensure the safety and soundness of the institution," while also protecting their customers. The Cybersecurity Regulation was promulgated to address the growing concern of financial industry regulators with the vulnerability of personal, financial and business data processed by NYDFS-supervised organizations and to protect the associated level of security of their information technology systems against systemic harm.

The NYDFS's methodology for entities to achieve the agency's desired result involves a mix of risk management principles and compliance demands. At its core, the Cybersecurity Regulation requires an extensive list of regulated entities to implement and maintain a thorough 14-point cybersecurity policy with requirements that range from asset management to incident response. Covered organizations (and individuals) are required not only to consider "relevant risks" to their business, but also to "keep pace with technological advances."

The minimum standards imposed on organizations and individuals under the Cybersecurity Regulation address several areas, including:

Requiring certain physical, administrative and technical controls to ensure that an organization's cybersecurity program addresses cybersecurity risks, and protects nonpublic data and the information systems, including written cybersecurity policies and procedures, encryption, multi-factor authentication, penetration testing and risk assessment

Implementing a corporate governance framework that involves participation and oversight at all levels —from vendors to the board of directors —and requires reporting to executive management on evolving cybersecurity risks to facilitate necessary revisions to the cybersecurity program

Submitting an annual certification, prepared by executive management, to the Superintendent of the NYDFS confirming compliance with the Cybersecurity Regulation, and documenting necessary material improvements to the cybersecurity program

Developing and implementing a written incident response and remediation plan addressing internal incident response processes, goals of the response plan, delineation of clear roles and responsibilities for incident response decision-making authority, external and internal communications, requirements for remediating cybersecurity weaknesses, cybersecurity event and incident response documentation and reporting, and evaluation and revision of the plan. Some organizations may qualify for relief from certain or all compliance obligations under the Cybersecurity Regulation if they fall under one or more of nine exemptions. These exemptions may be available based on the size of an organization, reliance on the cybersecurity program of another related entity, access or control over nonpublic information or information systems, or designation as a special insurance or reinsurance entity. Absent an exemption, organizations that fail to comply with the Cybersecurity Regulation may be subject to penalties and enforcement actions by the Superintendent of the NYDFS under existing law.

14-point

Cybersecurity Regulation calls for a 14-point cybersecurity policy for all regulated entities

Global reach

Importantly, the Cybersecurity Regulation has an extraterritorial reach that extends well beyond the regulated entity itself. Typically, many large enterprises gain business efficiencies and closer coordination between their subsidiaries and affiliates by deploying a unified information technology platform with centrally managed security. Thus, if a segment of the enterprise, however small, falls under the jurisdiction of the NYDFS, the enterprise's broader program may effectively fall under its watchful eye and will have to meet the Cybersecurity Regulation's requirements to the full extent it is relied upon by the enterprise's NYDFS-regulated entity. In these instances, all the relevant documentation and information about the larger program must be made available to the NYDFS upon its request. Similarly, when regulated entities use vendors, NYDFS requirements exist to ensure the appropriate level of security for the information and systems that are accessible to, or held by, third-party service providers.

For foreign organizations with branches, employees, subsidiaries or affiliates operating in New York State, the reach of the Cybersecurity Regulation warrants full attention and consideration. If a foreign organization determines that the Cybersecurity Regulation applies to its affiliates, third-party service providers or employees operating in New York, then the organization could be beholden to the NYDFS for cybersecurity program inquiries. This could mean, for example, that a foreign-based organization's overall cybersecurity program documents and practices may be open for review and inspection by the Superintendent of the NYDFS based on its New York operations thousands of miles away from its core and broader operations and activities, including across multiple jurisdictions. It could also mean that foreign third-party vendors who provide cybersecurity program services to the organization or its affiliates may be subject to certain obligations under the Cybersecurity Regulation.

This potential reach of the Cybersecurity Regulation raises legitimate jurisdictional concerns about a local regulator's ability to obtain insight into the network security of a global enterprise, regardless of where the company is headquartered. In addition, foreign companies could begin to see compliance costs rise due to conflicting cybersecurity standards set forth under other laws, such as the General Data Protection Regulation, or if other states in the US, or other countries, begin to promulgate similar regulations that are not harmonized with New York's Cybersecurity Regulation. Thus, companies should be aware that aspects of their enterprise-wide cybersecurity programs and controls could come under the ambit of the NYDFS and prepare accordingly. For enterprises with significant worldwide operations, failing to appreciate the potential reach of the NYDFS under the Cybersecurity Regulation could present significant issues.

Cybersecurity Regulation has an extraterritorial reach that extends well beyond the regulated entity itself

72-hour incident reporting

The Cybersecurity Regulation also requires covered entities to notify the superintendent within 72 hours of its determination that an act or attempt, whether or not successful, was made to gain unauthorized access to, disrupt, or misuse, an information system or the information stored on it, to the extent that (a) notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (b) the event has a reasonable likelihood of materially harming any material part of the entity's normal operations. To determine whether an unsuccessful act or attempt is reportable, organizations will want to consider whether defending against it was routine in nature or required taking measures "well beyond" those ordinarily used.

C-suite-level involvement

The significance of the global reach and tight 72-hour incident reporting timetable of the Cybersecurity Regulation is amplified by the requirements placed on officers and directors of a covered foreign organization to oversee and manage the cybersecurity program applicable to its New York operations, and to document their review, understanding and approval of the program. Should the NYDFS request a review and access to an organization's cybersecurity program, the role and involvement of the organization's officers and directors in implementing the program will come under scrutiny. Therefore, in addition to appreciating the extraterritorial reach of the Cybersecurity Regulation outside of New York, senior officers (and boards of directors) should focus on the following obligations: ESMA anticipates that legal questions will arise as the technology develops and its applications become more visible. It believes that it is too early to gain a complete understanding of the changes that the technology may introduce and that any regulatory action would be premature.

Review and approve the organization's written cybersecurity policy and ensure that it addresses the specifically enumerated topics under the Cybersecurity Regulation. The cybersecurity program should consider not just personally identifiable information, but all nonpublic business-related data as well as the resilience of key systems

Confirm that the annual report from the chief information security officer (CISO) is generated and provided to the Board. The Cybersecurity Regulation specifically requires the CISO to provide a written report to the directors on the cybersecurity program and any material risks

Ensure that the organization's risk assessments, third-party service provider policies, and incident response and remediation plans are tracked and documented. This documentation is necessary for officers and directors to annually certify that they have reviewed the documentation and that the organization's cybersecurity program is compliant with the Cybersecurity Regulation. Should the superintendent request review of the cybersecurity program, then the documentation provides proof of compliance

Become familiar with the organization's existing documentation procedures and adjust as necessary. Executive management should seek guidance on how to limit documentation only to what is necessary to show compliance, taking into account any applicable legal privileges

Enforcement actions againts US-based entities may implicate foreign interests on a potentially much larger scale than many firms may reasonably anticipate

Vigorous compliance

The Cybersecurity Regulation is intended to protect individual and business-confidential information related to financial institutions, and the integrity and availability of such data, as well as an organization's networks and applications. In promulgating the Cybersecurity Regulation, the NYDFS is attempting to protect a critical infrastructure important to New York—the banking and finance industry. As a result, the NYDFS is expected to vigorously pursue and monitor compliance with the Cybersecurity Regulation, which could result in enforcement actions against US-based entities that may implicate foreign interests on a potentially much larger scale than many firms may reasonably anticipate. Based on recent history, the New York operations of non-US banks have been a frequent target of the NYDFS (with respect to other issues, to include anti-money laundering and sanctions compliance programs and enforcement); it is reasonable to assume these institutions will continue to be within the NYDFS's sights. Given the extraterritorial reach of the Cybersecurity Regulation and the NYDFS's willingness to exercise its reach in other contexts, organizations near and far should take heed, and be prepared to act quickly.